author | Dan Carpenter <dan.carpenter@oracle.com> | 2021-04-22 12:00:54 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-04-22 13:17:29 +0200 |
commit | 3343f376d4bae98ec11fd104e0e211b275e754b8 (patch) | |
tree | a328b67d7604209cc343ae8dc0b9296e5cab8131 /drivers/usb/gadget/legacy/inode.c | |
parent | f88359e1588b85cf0e8209ab7d6620085f3441d9 (diff) | |
usb: gadget: prevent a ternary sign expansion bug

The problem is that "req->actual" is a u32, "req->status" is an int, and
iocb->ki_complete() takes a long. We would expect that a negative error
code in "req->status" would translate to a negative long value.

But what actually happens is that because "req->actual" is a u32, the
error code is type promoted to a high positive value and then remains
a positive value when it is cast to long. (No sign expansion).

We can fix this by casting "req->status" to long.

Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YIE7RrBPLWc3XtMg@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
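
The promotion described in the commit message, as an added stand-alone example that is not part of the commit or the kernel source. `struct fake_req`, `TYPE_NAME` and the sample values are hypothetical, and the output assumes a 32-bit int and a 64-bit long.

```c
/* Added illustration, not kernel code. Assumes 32-bit int and 64-bit long. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Hypothetical stand-in for the two usb_request fields the commit names. */
struct fake_req {
	u32 actual;	/* bytes transferred */
	int status;	/* 0 or a negative errno */
};

/* Reports the type the compiler assigns to a conditional expression. */
#define TYPE_NAME(e) _Generic((e), unsigned int: "unsigned int", \
				   long: "long", default: "other")

/* Pre-patch form: int and u32 operands, so the result type is unsigned int. */
static long res_before(const struct fake_req *r)
{
	return r->actual ? r->actual : r->status;
}

/* Post-patch form: u32 and long operands, so the result type is long. */
static long res_after(const struct fake_req *r)
{
	return r->actual ? r->actual : (long)r->status;
}

static const char *type_before(const struct fake_req *r)
{
	return TYPE_NAME(r->actual ? r->actual : r->status);
}

static const char *type_after(const struct fake_req *r)
{
	return TYPE_NAME(r->actual ? r->actual : (long)r->status);
}

int main(void)
{
	struct fake_req failed = { .actual = 0, .status = -5 };	/* constructed */
	struct fake_req ok = { .actual = 512, .status = 0 };	/* constructed */

	printf("before: %-12s res=%ld error seen=%d\n", type_before(&failed),
	       res_before(&failed), res_before(&failed) < 0);
	printf("after:  %-12s res=%ld error seen=%d\n", type_after(&failed),
	       res_after(&failed), res_after(&failed) < 0);
	printf("success path unchanged: %ld == %ld\n", res_before(&ok), res_after(&ok));
	return 0;
}
```

A caller that tests the completion result with `res < 0` never sees the failure in the pre-patch form, because the value arrives as a large positive number.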
Diffstat (limited to 'drivers/usb/gadget/legacy/inode.c')
-rw-r--r-- | drivers/usb/gadget/legacy/inode.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index 71e7d10dd76b..cd8e2737947b 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -498,7 +498,8 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) iocb->private = NULL; /* aio_complete() reports bytes-transferred _and_ faults */ - iocb->ki_complete(iocb, req->actual ? req->actual : req->status, + iocb->ki_complete(iocb, + req->actual ? req->actual : (long)req->status, req->status); } else { /* ep_copy_to_user() won't report both; we hide some faults */ |
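
Review bot: The `(long)` cast on `req->status` in the second argument to `iocb->ki_complete()` reads as redundant unless the reader already knows that `req->actual` is a u32, so a later cleanup could drop it and bring the bug back. A short comment beside the cast, or computing the result into a local `long` before the call, would make the intent explicit. The commit message also carries no Fixes: tag; naming the change that introduced the ternary would tell backporters which trees need this.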